CN104506518A - Identity authentication method for access control of MIPS (Million Instructions Per Second) platform network system - Google Patents

Info

Publication number: CN104506518A
Application number: CN 201410798504
Authority: CN
Grant status: Application
Prior art keywords: server, authentication, browser, user, information
Priority date: 2014-12-22
Filing date: 2014-12-22
Publication date: 2015-04-08
Other languages: Chinese (zh)
Other versions: CN104506518B (en)
Inventors: 陈鲁, 符兴斌, 李锁在, 郑永飞, 刘向军, 韩鹏, 黄明, 胡春玲, 徐志亮, 胡松, 葛江华, 李亮, 袁泉, 李贺, 肖利建, 马利君, 陈文静
Original assignee: 中软信息系统工程有限公司

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/08 ... for supporting authentication of entities communicating through a packet data network
                        • H04L63/0815 ... providing single-sign-on or federations
                        • H04L63/083 ... using passwords
                            • H04L63/0846 ... using time-dependent passwords, e.g. periodically changing passwords
                • H04L67/00 Network-specific arrangements or communication protocols supporting networked applications
                    • H04L67/02 ... involving the use of web-based technology, e.g. hyper text transfer protocol [HTTP]
                    • H04L67/14 ... for session management
                        • H04L67/146 Markers provided for unambiguous identification of a particular session, e.g. session identifier, session cookie or URL-encoding
    • G PHYSICS
        • G06 COMPUTING; CALCULATING; COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
                    • G06F17/30 Information retrieval; Database structures therefor; File system structures therefor
                        • G06F17/30861 Retrieval from the Internet, e.g. browsers

Abstract

The invention discloses an identity authentication method for access control of a MIPS (Million Instructions Per Second) platform network system. The method provides login identity authentication in the browser and, according to the identity of the logged-in user, protects HTTP (Hyper Text Transfer Protocol) transmission data with different encryption algorithms when the user accesses different URLs. Its advantages are that access to the MIPS platform network system can be confirmed by identity authentication and that access permissions can be controlled according to individual identity.

Description

Identity authentication method for access control of a MIPS platform network system

Technical field

[0001] The present invention relates to a network identity authentication method, specifically an identity authentication method for access control of a MIPS platform network system, and belongs to the field of network identity authentication methods.

Background

[0002] System access control identity authentication is the process by which a system examines a user's identity in order to determine whether that user has permission to access and use a given resource. Existing browsers lack the ability to verify user identity for access control, which necessarily leads to the following problems. If the browser cannot identify and authenticate the user, an attacker can easily break into the system. On the one hand, an unauthorised user may well perform illegal operations such as visiting virus-hosting websites or downloading virus-infected files, leaving the computer vulnerable to viruses and hackers; on the other hand, an ordinary browser does not recognise user identity or permissions, so when a user visits a sensitive site the user's operating permissions cannot be controlled, leaving the user without any restraint, even free to exploit WEB site vulnerabilities or attack WEB sites by hacking techniques.

Summary

[0003] In view of the lack of system access control identity authentication in browsers, the object of the present invention is an identity authentication method for access control of a MIPS platform network system, which provides browser login identity authentication together with a mechanism that, according to the identity of the logged-in user, protects HTTP transmission data with different encryption algorithms when the user accesses different URLs.

[0004] The technical solution of the present invention is as follows:

[0005] An identity authentication method for access control of a MIPS platform network system, wherein the MIPS platform comprises a secure browser client, a WEB server side and a secure browser server side; the client is a secure browser terminal, and the server side is able to perform login and system access control for the secure browser of the secure browser terminal; the identity authentication method specifically comprises the following steps:

[0006] (1) The browser authentication and grouping module obtains the user's authentication information by username and password and transmits that information to the authentication server on the WEB server side;

[0007] (2) The authentication server on the WEB server side receives the user information and authenticates the user; if authentication fails, an error message is returned; if authentication succeeds, the user's group encryption information, comprising the URLs and the associated cipher algorithm information, is retrieved and transmitted to the secure browser server side;

[0008] After receiving this information, the secure browser server side stores the group encryption information so that the user can subsequently use the cipher algorithms in that group to access WEB applications;

[0009] (3) When the user of the secure browser client accesses a URL, the WEB server side and the secure browser server side match the URL against the user's URL-to-cipher-algorithm correspondence table and use the matched encryption algorithm to encrypt and decrypt the data transmitted over the network.

[0010] The advantages of the present invention are: by providing browser login identity authentication and a mechanism that protects HTTP transmission data with different encryption algorithms according to the identity of the logged-in user when different URLs are accessed, access to the platform network system can be confirmed by identity authentication, and access permissions can be controlled according to individual identity.

[0011] The present invention is further described below with reference to the drawings and embodiments.

Brief description of the drawings

[0012] Fig. 1 is a structural diagram of the access control identity authentication of the MIPS platform network system according to an embodiment of the present invention;

[0013] Fig. 2 is a flowchart of the access control identity authentication of the platform network system according to an embodiment of the present invention.

Detailed description

[0014] Preferred embodiments of the present invention are described below. It should be understood that the preferred embodiments described here serve only to illustrate and explain the present invention and are not intended to limit it.

[0015] Embodiment 1

[0016] As shown in Figs. 1 and 2, an identity authentication method for access control of a MIPS platform network system, wherein the platform comprises a secure browser client, a WEB server side and a secure browser server side; the client is a secure browser terminal, and the server side is able to perform login and system access control for the secure browser of the secure browser terminal; the identity authentication method specifically comprises the following steps:

[0017] 1. User A opens the browser, enters a username and password in the input box of the browser authentication and grouping module, and sends the user information to the login group server on the WEB server side;

[0018] 2. The login group server verifies the validity of the username and password; if authentication fails, an error message is returned. If validation passes, it returns the list of URLs that user A may access. This information is not visible to the user; it allows user A to reach the addresses in the list and access those websites normally. It comprises the URLs (URL1, URL2, URL4) and the associated cipher algorithm information (cipher 1 or key 1, cipher 2 or key 2, cipher 3 or key 3, cipher 4 or key 4, ...), and this information is transmitted to the secure browser server side;

[0019] At the same time, after receiving this information, the secure browser server side stores the group encryption information so that the user can subsequently use the cipher algorithms in that group to access WEB applications;

[0020] If user B logs in to the browser normally but user B's access list does not contain a URL that user A may access, then when user B visits the URL that user A just visited, user B cannot access that website.

[0021] (3) When the user of the secure browser client accesses a URL, the WEB server side and the secure browser server side match the URL against the user's URL-to-cipher-algorithm correspondence table and use the matched encryption algorithm to encrypt and decrypt the data transmitted over the network.

[0022] For example, if the WEB middleware of WEB application server 1 (URL1) encrypts and decrypts using cipher 1 or key 1, then when an ordinary user accesses URL1, the cipher algorithm is matched through URL1 and cipher 1 is used for the HTTP encryption and decryption operations; if the WEB middleware of WEB application server 2 (URL4) encrypts and decrypts using cipher 3 or key 3, then when an ordinary user accesses URL4, the cipher algorithm is matched through URL4 and cipher 3 is used for the HTTP encryption and decryption operations.
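A runnable model of steps 1 to 3 and the example in [0022], added here as an illustration; it is not code from the patent or its assignee. It assumes constructed users, groups, URLs and keys, and substitutes an HMAC-based keystream for the per-group ciphers the patent does not name.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed value, not from the patent

def password_hash(password: str) -> bytes:
    """Salted PBKDF2 so the login group server stores no plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

# Constructed users: username -> (password hash, group)
USERS = {
    "userA": (password_hash("pwA"), "ops"),
    "userB": (password_hash("pwB"), "guest"),
}

# Constructed groups: group -> {URL: (cipher name, key)}, the "URL list plus
# cipher algorithm information" the login group server returns; the user never sees it
GROUPS = {
    "ops":   {"http://app1.example/": ("cipher1", b"key1-constructed"),
              "http://app2.example/": ("cipher3", b"key3-constructed")},
    "guest": {"http://app2.example/": ("cipher3", b"key3-constructed")},
}

# WEB middleware side: each application server is configured with one cipher
WEB_MIDDLEWARE = {"http://app1.example/": ("cipher1", b"key1-constructed"),
                  "http://app2.example/": ("cipher3", b"key3-constructed")}

def login(username: str, password: str):
    """Steps 1-2: verify the credentials; return the group's URL->cipher table
    for the secure browser server to store, or None when authentication fails."""
    record = USERS.get(username)
    if record is None:
        return None
    stored_hash, group = record
    if not hmac.compare_digest(stored_hash, password_hash(password)):
        return None
    return dict(GROUPS[group])

def _keystream(name: str, key: bytes, length: int) -> bytes:
    """Toy stand-in for the patent's unnamed ciphers: an HMAC-SHA256 counter
    keystream bound to the cipher name and key. Not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, name.encode() + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]

def transform(cipher, data: bytes) -> bytes:
    """Encrypt or decrypt with the matched cipher (XOR is its own inverse)."""
    name, key = cipher
    return bytes(a ^ b for a, b in zip(data, _keystream(name, key, len(data))))

def client_send(table, url: str, request: bytes):
    """Step 3, browser side: match the URL in the stored table and encrypt with
    that cipher; a URL outside the list (user B reaching app1) is refused, as in [0020]."""
    cipher = table.get(url)
    if cipher is None:
        return None
    return transform(cipher, request)

def web_server_receive(url: str, ciphertext: bytes) -> bytes:
    """Step 3, WEB middleware side: decrypt with this application server's cipher."""
    return transform(WEB_MIDDLEWARE[url], ciphertext)
```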

[0023] In addition, a configuration administrator can modify the matching information of users, URLs, ciphers and so on by logging in to the management platform of the authentication server (that is, the login group server).

[0024] Finally, it should be noted that the above are only preferred embodiments of the present invention and are not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art may still modify the technical solutions recorded in the foregoing embodiments or replace some of their technical features with equivalents. Any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (2)

  1. An identity authentication method for access control of a MIPS platform network system, characterised in that: the MIPS platform comprises a secure browser client, a WEB server side and a secure browser server side; the client is a secure browser terminal, and the server side is able to perform login and system access control for the secure browser of the secure browser terminal; the identity authentication method specifically comprises the following steps: (1) the browser authentication and grouping module obtains the user's authentication information by username and password and transmits that information to the authentication server on the WEB server side; (2) the authentication server on the WEB server side receives the user information and authenticates the user; if authentication fails, an error message is returned; if authentication succeeds, the user's group encryption information, comprising the URLs and the associated cipher algorithm information, is retrieved and transmitted to the secure browser server side; (3) when the user of the secure browser client accesses a URL, the WEB server side and the secure browser server side match the URL against the user's URL-to-cipher-algorithm correspondence table and use the matched encryption algorithm to encrypt and decrypt the data transmitted over the network.
  2. The identity authentication method for access control of a platform network system according to claim 1, characterised in that: in step (2), after receiving the information, the secure browser server side stores the group encryption information so that the user can subsequently use the cipher algorithms in that group to access WEB applications.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201410798504 CN104506518B (en) 2014-12-22 2014-12-22 Mips platform for network authentication system access control method

Publications (2)

Publication Number Publication Date
CN104506518A (en) 2015-04-08
CN104506518B CN104506518B (en) 2018-07-24

Family

ID=52948233

Country Status (1)

Country Link
CN (1) CN104506518B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010045451A1 (en) * 2000-02-28 2001-11-29 Tan Warren Yung-Hang Method and system for token-based authentication
CN1855814A (en) * 2005-04-29 2006-11-01 中国科学院计算机网络信息中心 Safety uniform certificate verification design
CN101815091A (en) * 2010-03-12 2010-08-25 薛明 Cipher providing equipment, cipher authentication system and cipher authentication method
CN102833214A (en) * 2011-06-14 2012-12-19 赛酷特(北京)信息技术有限公司 Webpage login system and method based on credential
CN103634307A (en) * 2013-11-19 2014-03-12 北京奇虎科技有限公司 Method for certificating webpage content and browser

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105306473A (en) * 2015-11-05 2016-02-03 北京奇虎科技有限公司 Method, client, server and system for preventing injection attacks
CN105306473B (en) * 2015-11-05 2018-06-22 北京奇虎科技有限公司 Method, client, server and system for preventing injection attacks

Also Published As

Publication number Publication date Type
CN104506518B (en) 2018-07-24 grant

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
GR01